
CMI Management, a US government contractor providing facility management solutions to the US Army, leaked sensitive information from military installations. Tens of thousands of files were open for months, despite security researchers contacting the responsible authorities.
- US Army contractor CMI Management leaked over 70,000 files including base photos, schematics, and personnel data.
- Security researcher notified US-CERT in 2024, but the exposed military data remained publicly accessible through April 2026.
- Leaked information includes building layouts, maintenance records, and personally identifiable information of military staff and contractors from multiple installations.
- The exposed data could enable adversaries to map base vulnerabilities and conduct targeted phishing or social engineering attacks.
On March 16th, our research team received a tip from security researcher Arkadeep Roy, who reported a leaky directory containing sensitive US military information. According to the researcher, he discovered the issue in 2024 and notified the US-CERT (United States Computer Emergency Readiness Team).
Even though Roy received confirmation that US-CERT is “in contact with the related vendor,” our research team was able to verify that as of April 2026, the data was still publicly exposed.
Our researchers noticed that data related to US military bases and other sites was being exposed via an Open Directory Listing Vulnerability, and that there was a lack of security controls for accessing documents in the exposed directory. According to our team, the exposed details include:
- Photos taken inside military bases
- Maintenance work orders
- Building schematics
- Personally identifiable information of military personnel
- Personally identifiable information of contractors
The US Army data leak exposed at least 70,000 files from a dataset that was being updated in real time at the time of the investigation. Our team identified the exposed directory as belonging to CMI Management Inc., a government contractor.
CMI Management has provided government facility management services for the US government for decades. The company is part of Dexterra Group, a Canadian support services company.
We have reached out to the company for comment and will update the article once we receive a reply.
Why is leaking US Army base details dangerous?
Our researchers believe leaking information from within military installations is risky, to say the least. What makes matters worse is that, according to Roy, authorities have been aware of the leak for a long time, yet data continues to leak publicly.
“The data leak is concerning, as sensitive US military data was stored insecurely for over a year, even after CISA was reportedly notified. This signifies that even when it comes to the military and their facilities, it is too common to find data being stored insecurely, and remediation efforts are not prioritized even after notifying the relevant authorities,” our team explained.
In the worst-case scenario, US adversaries could utilize the details for numerous nefarious purposes. For one, nation-state actors could use leaked details to create a detailed map of military bases and their layout, which might not be possible from aerial imagery alone. The schematics may even help to identify structural vulnerabilities.
Additionally, threat actors could use the leaked personal details to target both military personnel and contractors. Phishing campaigns and social engineering attacks could be utilized to gain additional access to military installations or CMI Management, a long-time partner of the US government.
Disclosure timeline:
- Tip received: March 16th, 2026
- Investigation and confirmation: March 17th, 2026
- Disclosure to CMI Management and CISA: March 18th, 2026